The Check_UserNames rule detects potential adversary attempts to enumerate or identify valid user accounts within an environment by checking for suspicious username patterns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of reconnaissance or credential harvesting activities.
YARA Rule
import "pe"

rule Check_UserNames
{
    meta:
        Author = "Nick Hoffman"
        Description = "Looks for malware checking for common sandbox usernames"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $user1 = "MALTEST" wide ascii
        $user2 = "TEQUILABOOMBOOM" wide ascii
        $user3 = "SANDBOX" wide ascii
        $user4 = "VIRUS" wide ascii
        $user5 = "MALWARE" wide ascii
    condition:
        all of ($user*) and pe.imports("advapi32.dll", "GetUserNameA")
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
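To make the rule's logic concrete, here is an added Python example (not part of the rule or this page) that emulates how the five `wide ascii` strings and the `all of ($user*)` condition are evaluated against a byte buffer; the `pe.imports` check is only approximated by a string search for the DLL and API names, as noted in the code, rather than by parsing the PE import table. The sample buffers are constructed for the demonstration, not real files.

```python
# Added example (not part of the original rule page): emulates how the
# Check_UserNames strings section matches, and approximates the pe.imports test.
SANDBOX_USERNAMES = ["MALTEST", "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE"]

def wide_ascii_forms(s):
    """Byte encodings YARA searches for under the `wide ascii` modifiers:
    plain ASCII, plus UTF-16LE (each character followed by a NUL byte)."""
    return [s.encode("ascii"), s.encode("utf-16-le")]

def username_hits(data):
    """Per-string result for $user1..$user5; the rule's strings are case-sensitive
    (no `nocase` modifier), so the search here is case-sensitive too."""
    return {name: any(form in data for form in wide_ascii_forms(name))
            for name in SANDBOX_USERNAMES}

def strings_condition_met(data):
    """`all of ($user*)`: every one of the five usernames must be present."""
    return all(username_hits(data).values())

def imports_get_user_name_a(data):
    """Approximation (assumption) of pe.imports("advapi32.dll", "GetUserNameA"):
    instead of walking the PE import directory, require both the DLL name
    (YARA compares it case-insensitively) and the NUL-terminated API name."""
    return b"advapi32.dll" in data.lower() and b"GetUserNameA\x00" in data

def rule_matches(data):
    """Full rule: all five username strings AND the GetUserNameA import."""
    return strings_condition_met(data) and imports_get_user_name_a(data)

# Constructed sample buffers (not real files): a mix of ASCII and wide forms.
SAMPLE_HIT = (b"\x00" * 16 + b"MALTEST\x00" + "TEQUILABOOMBOOM".encode("utf-16-le")
              + b"SANDBOX\x00VIRUS\x00" + "MALWARE".encode("utf-16-le")
              + b"ADVAPI32.dll\x00GetUserNameA\x00")
SAMPLE_PARTIAL = SAMPLE_HIT.replace(b"VIRUS", b"ADMIN")   # one username missing
SAMPLE_NO_IMPORT = SAMPLE_HIT.replace(b"GetUserNameA", b"GetVersionExA")

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL),
                       ("no-import", SAMPLE_NO_IMPORT)]:
        print(label, rule_matches(buf), username_hits(buf))
```

The partial buffer shows why `all of` matters: four of five sandbox names plus the import is still not a match, which keeps the rule from firing on binaries that merely mention one or two of these words.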
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job (e.g., task scheduler or cron job) runs under a service account and generates user-related activity.
Filter/Exclusion: Exclude activity from known maintenance accounts (e.g., svc_account, maintenance_user) or filter by process name (e.g., schtasks.exe, cron).
Scenario: User Account Creation via Active Directory Tools
Description: An admin uses ADUC (Active Directory Users and Computers) or dsadd to create a new user, which may trigger username checks.
Filter/Exclusion: Exclude events related to dsadd, adsi, or ADUC tools, or filter by user account creation events (e.g., Event ID 4720).
Scenario: Automated User Provisioning via Identity Management System
Description: A tool like Azure AD Connect or Microsoft Entra ID provisions users, which may trigger username checks during sync.
Filter/Exclusion: Exclude activity from known provisioning tools (e.g., AzureADConnect, Microsoft.Identity.Client) or filter by specific event IDs related to user provisioning.
Scenario: User Login via Remote Desktop Services (RDS)
Description: A user logs in via RDP (e.g., mstsc.exe) and the username is captured in the session, which may falsely trigger the rule.
Filter/Exclusion: Exclude events where the process is mstsc.exe or filter by login source (e.g., RDP, Remote Desktop).
Scenario: User Enumeration via PowerShell or Command Line
Description: An admin runs a script (e.g., Get-ADUser, net user) to list users, which may generate username